
CISA Urges iOS Patch to Stop Crypto-Theft Exploits

Summary

– CISA ordered federal agencies to patch three iOS vulnerabilities exploited by the Coruna exploit kit, used in cyberespionage and crypto-theft attacks.
– The Coruna kit targets 23 iOS flaws, giving attackers the means to bypass iOS security mitigations and gain kernel-level access on unpatched devices.
– Multiple threat actors used Coruna, including a surveillance vendor customer, a suspected Russian state-backed group, and a financially motivated Chinese actor.
– The exploit kit’s sophisticated spyware-grade capabilities have migrated from commercial vendors to nation-state and criminal operations.
– While the federal mandate has a March 26 deadline, CISA urges all organizations to prioritize patching these flaws to mitigate significant risks.

A critical security alert from U.S. authorities highlights an urgent need for iPhone users to update their devices. The Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal agencies patch three specific iOS vulnerabilities, which are actively being exploited by hackers to steal cryptocurrency and conduct espionage. These flaws are part of a larger collection targeted by a sophisticated exploit kit known as Coruna, demonstrating how advanced cyber weapons are now being used in widespread criminal campaigns.

Researchers from Google’s Threat Intelligence Group recently detailed the Coruna kit, which chains multiple exploits to attack a total of twenty-three iOS security weaknesses. Many of these vulnerabilities had previously been exploited as zero-days before they were disclosed. The kit gives threat actors powerful capabilities, including techniques to bypass Pointer Authentication Codes (PAC), escape the application sandbox, and circumvent the Page Protection Layer (PPL). Chained together, these allow an attacker to execute code remotely through the WebKit browser engine and then escalate to the highest kernel-level privileges on a compromised iPhone.

It is important to note that these exploit chains do not work against the latest iOS versions. Potential targets can also reduce their exposure by using Safari’s private browsing mode or by enabling Apple’s Lockdown Mode, a feature specifically designed to counter sophisticated spyware. Neither of these is a substitute for updating: given the scale of exploitation, patching remains the immediate priority.

The Coruna toolkit has been observed in use by a diverse set of malicious groups. Google’s findings indicate activity from a customer of a commercial surveillance vendor, a hacking collective suspected of having ties to the Russian state, and a financially motivated threat actor based in China. This Chinese group, tracked as UNC6691, deployed the exploits through counterfeit gambling and cryptocurrency websites. The ultimate goal was to install malware capable of draining the digital wallets of unsuspecting victims.

Security experts at iVerify have analyzed this trend, noting that Coruna represents a dangerous migration of technology. Sophisticated spyware capabilities, once the exclusive tool of commercial surveillance firms, have now proliferated to nation-state hackers and large-scale criminal operations. This diffusion lowers the barrier for entry, enabling more attackers to launch highly invasive campaigns.

In response to the active threats, CISA formally added three of the Coruna-related iOS vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Under the authority of Binding Operational Directive 22-01, the agency has given Federal Civilian Executive Branch agencies a deadline of March 26 to apply the necessary patches and secure their systems. The catalog entries carry the directive’s standard required action: apply mitigations per vendor instructions, follow the applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. CISA emphasized that such vulnerabilities are frequent attack vectors for malicious actors and pose a significant risk to the federal enterprise.
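For organizations that track BOD 22-01 deadlines, the practical step is to pull the KEV feed and flag which entries for a given vendor and product are due, and when. The script below is an added example, not code from the article, Bleeping Computer, or CISA. It uses the field names of the public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, requiredAction), but the records embedded in it are constructed placeholders with fake CVE numbers and made-up dates; the article does not name the three real Coruna-related CVEs, so none are reproduced here.

```python
"""Triage a CISA KEV-style feed for a vendor/product against BOD 22-01 due dates.

Added example, not the article's or CISA's code. Field names follow the public
KEV JSON schema; the sample records are constructed placeholders (fake CVE IDs,
made-up dates), not real catalog entries.
"""
import json
from datetime import date

# Standard BOD 22-01 required-action text as it appears on KEV entries.
REQUIRED_ACTION = (
    "Apply mitigations per vendor instructions, follow applicable BOD 22-01 "
    "guidance for cloud services, or discontinue use of the product if "
    "mitigations are unavailable."
)

# Constructed sample feed. CVE-0000-0000x are placeholders, not real CVEs.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "Apple", "product": "iOS and iPadOS",
         "dateAdded": "2026-03-05", "dueDate": "2026-03-26",
         "requiredAction": REQUIRED_ACTION, "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00002", "vendorProject": "Apple", "product": "iOS and iPadOS",
         "dateAdded": "2026-03-05", "dueDate": "2026-03-26",
         "requiredAction": REQUIRED_ACTION, "knownRansomwareCampaignUse": "Unknown"},
        # An older iOS entry whose deadline has already passed.
        {"cveID": "CVE-0000-00003", "vendorProject": "Apple", "product": "iOS and iPadOS",
         "dateAdded": "2026-02-17", "dueDate": "2026-03-10",
         "requiredAction": REQUIRED_ACTION, "knownRansomwareCampaignUse": "Unknown"},
        # Same vendor, different product: must not be picked up by an iOS filter.
        {"cveID": "CVE-0000-00004", "vendorProject": "Apple", "product": "macOS",
         "dateAdded": "2026-03-05", "dueDate": "2026-03-26",
         "requiredAction": REQUIRED_ACTION, "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00005", "vendorProject": "ExampleVendor", "product": "Router",
         "dateAdded": "2026-03-05", "dueDate": "2026-03-26",
         "requiredAction": REQUIRED_ACTION, "knownRansomwareCampaignUse": "Known"},
    ],
})


def load_kev(feed_text: str) -> list:
    """Parse the KEV feed text and return the list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def matches_product(entry: dict, vendor: str, product: str) -> bool:
    """Exact (case-insensitive) vendor match plus substring match on the product.

    KEV product strings are free text ("iOS and iPadOS", "macOS"), so a
    substring test on the product is used; the vendor is matched exactly.
    """
    return (entry.get("vendorProject", "").casefold() == vendor.casefold()
            and product.casefold() in entry.get("product", "").casefold())


def triage(feed_text: str, vendor: str, product: str, today: date) -> list:
    """Return matching entries with days remaining until the BOD 22-01 due date.

    Sorted so that overdue entries come first, then by soonest deadline.
    """
    rows = []
    for entry in load_kev(feed_text):
        if not matches_product(entry, vendor, product):
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "cveID": entry["cveID"],
            "dueDate": entry["dueDate"],
            "days_left": (due - today).days,
            "overdue": due < today,
        })
    rows.sort(key=lambda r: (r["dueDate"], r["cveID"]))
    return rows


if __name__ == "__main__":
    # Constructed "today" for the sample; in practice use date.today().
    for row in triage(SAMPLE_KEV_FEED, "Apple", "iOS", date(2026, 3, 20)):
        state = "OVERDUE" if row["overdue"] else f"{row['days_left']} day(s) left"
        print(f"{row['cveID']}  due {row['dueDate']}  {state}")
```

To run this against the live catalog, replace SAMPLE_KEV_FEED with the body of the KEV JSON feed fetched from CISA and pass date.today(); the matching and deadline logic is unchanged. Note that the vendor/product filter is deliberately narrow, so an iPadOS-only entry phrased differently would need its own product string.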

While the binding order applies specifically to federal agencies, the warning extends far beyond the public sector. CISA strongly urges all private organizations and individual users to treat these iOS flaws with high priority. Installing the latest security updates from Apple is the most effective step to protect devices from these advanced crypto-theft and spyware attacks.

(Source: Bleeping Computer)
